Mozi Malware - Finding Breadcrumbs...
28 Feb 2021
197,115 views
If you would like to support the channel and me, check out Kite! Kite is a coding assistant that helps you code faster on any IDE, offering smart completions and documentation. www.kite.com/get-kite/?... (disclaimer, affiliate link)
For more content, subscribe on Twitch! / johnhammond010
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: / johnhammond010
PayPal: paypal.me/johnhammond010
E-mail: johnhammond010@gmail.com
Discord: johnhammond.org/discord
Twitter: / _johnhammond
GitHub: github.com/JohnHammond
Dragging the spooky.elf into GHIDRA, it opens it just fine, and I should have tried that during the video. Embarrassing mistake, sorry. (And yes, I know that is by Fall Out Boy, not Green Day. I was just trolling ;P )
No worries :)
@John Hammond this is a worm used to infect routers so they can monitor router data, etc.
the default passwords may be for routers, people often forget to change them. there are sites that if you look up a router you can get a list of default passwords
@dannygaming1216 no, it's for DDoS. It's Mirai. All of those iptables block rules and deleting stuff are to stop other scanners running some exploits so they exclusively have the bot.
@noobian3314 I've seen a worm that gets into the router to allow it to collect data to sell it or for blackmail, and for DDoS.
"Please send me malware" -John Hammond
Famous last words...
"Welcome to Jurassic Park" - John Hammond
04:05 `$ mkdir Mozi`, `$ ls`. Listing an empty freshly created directory shows you that you are dealing with a professional. People who don't do this are either noobs or psychopaths.
Agree >_
Why is this?
@chillytheprogrammer Habits. Muscle memory. I believe John made a community post about this lol. edit: kzhead.info/tools/VeW9qkBjo3zosnqUbG7CFw.htmlcommunity?lb=UgxZplo8gPKIFaDSPVN4AaABCQ I was right :D
I do this all the time. Why? I have no idea.
mkdir is most tested software ever written.
Cool trick `--fix-broken`. That's why I like John's videos even when he thinks he fails. I level up ⬆️
Or `-f` for short!
somehow my evening routine of lying on the couch and watching netflix changed to lying on the couch and watching john hammond do malware analysis... :)
Welcome brother 😂
Would love to see a mini series about setting up a honey pot and seeing what fun stuff comes through!
How would one do that?
@bannedthricelol8799 step 1: install Metasploitable somewhere. step 2: buy a domain for Metasploitable and show it somewhere so possible hackers try to hack it. step 3: profit. btw Metasploitable may seem sus since it has a lot of vulnerabilities, up to the point where it seems fake
@bannedthricelol8799 just make a honey pot, it's that easy
Yes!!! A malware Harvester🤩🤩🤩
It's worth it... Tpot - you can do that yourself. :)
RIP nano on the side over there, he served his purpose in his less than 5-minute life span, let's take a moment of silence to remember how he stored the file size in hex for 2 minutes and then died peacefully...
🤣
john killed him :((
Na no
nano lives matter
25:40 Tip: you can simulate a slower connection to see things clearer in the devtools by clicking the "Throttling" dropdown
nice info
Even though this is a 2 year old video, I just started watching your KZhead channel a day or two ago or something like that, but I like your content brother, keep up your hard work. I don't know if you do live on here or not, but if you do I would love to see one of those live!!! If not, keep it up, I'll keep learning 😅😅 stay safe out there
I see a lot of Mozi traffic requests at work. Usually targeting IoT nix systems, routers, and low hanging fruit exploits attempting to spread around.
John, I love it! This is exactly what I do too. I don’t know what I’m doing but it’s fun to just scroll through to see if you see anything and sure enough you do. You also learn so much just by poking around.
I stumbled across your channel a couple of days ago, and have been binge watching ever since. Great job, and impressive resume.
I just found your channel and couldn't be happier. Great energy, looking forward to digging in.
I’m loving this series! Please do one explaining the methods you use.
For hexedit: go to start/end of the file
Even if I am barely understanding what is going on I found your videos very entertaining and educational! Thumbs up!
I found your channel yesterday and have been bingewatching hardcore. Ur vids are great!
I've discovered your channel recently and i really like it ! You are very inspiring, thank you for this amazing content !
People: "What do you do for a living?" John: "I look at malware-strings no matter how long they are."
I have a computer science degree and can confirm I also have no idea what MIPS is.
it's a RISC CPU by Motorola, found on older systems and maybe routers
These videos are getting better and better ! Can't wait for what's next !
Love the Malware Analysis videos! And the commentary is entertaining man! Keep uploading and I'll keep watching! Thanks for the great content.
Really loving the Malware analysis videos. My morning routine is now watching these videos over reading a news paper 😂
Thank you for making these videos John!
Thanks for your video :D They're all awesome! The strange part is that just yesterday I figured out how to cross compile code for MIPS-I for my router (it's exactly the same ELF type as this virus). I never heard about this architecture until about a week ago and suddenly you upload the video with this malware intended for routers. Anyway, love the passion that you share in your videos, please keep doing it haha :D
Awesome content. Thanks for putting up the video 👍🏻
"Sugar we're going down swinging, by Green Day" 😭😭😭
Me, a Fall Out Boy fan: *my disappointment is immeasurable and my day is ruined* Also Me, a John Hammond fan: I'm soooo happy there's a new video ^^
It made me sad too!
I like to "customize" my UPX. Shuffle the fields of the header struct around and (binary)shift the content. XOR the compression algo by the C64 NOP and add 69 to exactly that file size shown in the video:P Also using the wrong endianess on purpose will promote hair loss. Thanks for the great video, John!:)
Yay another one! thank you for your great work.
Dawg this is the most entertaining shit to watch, man. I listen to you like a podcast, I could actually listen/watch you all day.
Idk why it made me laugh so hard when you dragged your cam out of the window 😂😂😂😂
Just came across this video and I noticed at 27:01 there are some commands for cfgtool which also set the TR-069 (CWMP) Access Control Server to localhost, which could do a whole lot of advanced configuration/diagnostics of the device, including re-flashing the firmware of the device.
At 25:24 the text scanned by Google translate is: "-先进的比特币矿池" And the translation provided by it was: "-Advanced Bitcoin mining pool"
Awesome, thanks for more malware content!
BRO THAT OUTRO MUSIC GAVE ME SOME FLASHBACKS AND NOSTALGIA
appreciate you brother. keep teaching us please.
MIPS is usually found on routers and this is targeting routers in beginning allowing the attacker to get into the network (hence the iptables allow)
Is there malware that nestles in the router before ever getting to the user machine? Would downloading it be enough for it to deploy? Or could it target the router through the VM?
This guy is a gem. Liking and commenting for the KZhead algorithm
This’ll be a good one, see you all here
Loving the malware analysis vids John - keep repping the blue team :)
The particular characters mean exactly the same thing as the English title, but in Chinese. That site probably just translated it
god damn so much like!! i like these break downs! they are awesome!
@John Hammond 28:53 That highlighted command is a trick to check whether or not busybox is installed, I suppose. :) Keep in mind John that all commands like apt etc. etc. are in fact a bin file that is stored in the /bin directory, so I think this is an instruction for DD to look inside the bin folder and look for the busybox folder/check for its existence. :)
Thank you!
I got a cool one at work that was a phishing attempt through a Google Drive. Instantly made me think of your deconstruction videos.
I think the 114 dns, that we saw, is just a normal Chinese based dns server; nothing malicious in nature about the dns itself. It could be there to add more "surface area" to the malware.
This is going to be great!
You can kind of think of MIPS like a simpler version of ARM. Its assembly code is so much simpler compared to, say, ARM or x86 that my university uses it to teach assembly basics and concepts of how a processor works. In my experience it's very common in SOHO networking and IoT devices.
Hi John love the videos! You think you could make a tutorial on setting up a safe environment to explore malicious programs? I know virtual environments, are a start, but I think getting a video template would help put some paranoia at bay. Thanks in advance and if you already uploaded this tutorial my apologies.
Big fan John! Always loved your content!
OOOh im excited for this one
I like catching these premieres. It's fun to watch, but lots of it is over my head at this point.
John Hammond is amazing. I watch him and I don't know what he does most of the time
Nice video. Can't wait for the next one! :)
Good stuff, love this content man
Lol he says he ain't educated yet rips through anything thrown at him 🤣 😂
still new to your videos, I am thinking of starting my pentesting journey again, you may have motivated me fellow ginger
I had you in the background, and as soon you mentioned netgear i was like, oh mips and netgear, he is in router infections.
Thank you so much
I just want to let you know that I'm screaming at you : "it's UPX packed ! why do you keep searching for string ? unpack it already !"
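The comments above turn on two facts about the sample: it is a MIPS ELF (the same ELF type the router cross-compiling commenter mentions) and it is UPX packed. The following script is an added example, not code from the video or from John Hammond, showing the two-line triage a defender would run before reaching for strings: read the ELF header to get bitness, endianness and machine type, and scan for the `UPX!` marker. The sample bytes are constructed in `build_sample` (a bare header plus a marker, not a real binary) so the script runs offline; `spooky.elf` is only referenced as a usage path.

```python
import struct
import sys

# e_machine values from the ELF specification (only a few, for readable output)
EM_X86 = 3
EM_MIPS = 8
EM_ARM = 40
EM_X86_64 = 62
MACHINE_NAMES = {EM_X86: "x86", EM_MIPS: "MIPS", EM_ARM: "ARM", EM_X86_64: "x86-64"}


def build_sample(big_endian=True, machine=EM_MIPS, packed=True) -> bytes:
    """Constructed test input: a 52-byte ELF32 header followed by filler.

    This is NOT a runnable binary; it exists only so the triage function can
    be demonstrated without a real malware sample on disk.
    """
    ei_data = 2 if big_endian else 1          # 1 = little-endian, 2 = big-endian
    fmt = ">HHI" if big_endian else "<HHI"
    # e_ident: magic, EI_CLASS (1 = 32-bit), EI_DATA, EI_VERSION, OSABI, ABIVERSION, 7 pad bytes
    e_ident = b"\x7fELF" + bytes([1, ei_data, 1, 0, 0]) + b"\x00" * 7
    header_rest = struct.pack(fmt, 2, machine, 1) + b"\x00" * 28   # e_type, e_machine, e_version, ...
    body = b"\x00" * 16 + (b"UPX!" if packed else b"") + b"\x00" * 16
    return e_ident + header_rest + body


def triage_elf(data: bytes) -> dict:
    """Return bitness, endianness, machine name and UPX marker position for an ELF image."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_data not in (1, 2):
        raise ValueError("unknown ELF data encoding")
    endian = ">" if ei_data == 2 else "<"
    # e_type (2 bytes) and e_machine (2 bytes) sit right after the 16-byte e_ident
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    # Heuristic only: a stock UPX build leaves "UPX!" in the file; a modified
    # packer (as one commenter jokes about) can scrub it, so absence proves nothing.
    upx_offset = data.find(b"UPX!")
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "big" if ei_data == 2 else "little",
        "type": {1: "REL", 2: "EXEC", 3: "DYN"}.get(e_type, f"0x{e_type:x}"),
        "machine": MACHINE_NAMES.get(e_machine, f"unknown (0x{e_machine:x})"),
        "upx_marker": upx_offset != -1,
        "upx_offset": upx_offset,
    }


if __name__ == "__main__":
    # Usage: python triage.py spooky.elf   (falls back to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample()
    for key, value in triage_elf(blob).items():
        print(f"{key:>11}: {value}")
```

On the constructed sample this reports a 32-bit big-endian MIPS executable with the marker at offset 68; on a real packed sample the practical next step is `upx -d` on a copy, then `strings` and Ghidra on the unpacked file, since the strings inside a packed section are compressed and mostly invisible.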
I Think reversing Malware Is fantastic I have learned so much from watching this Ty
Destroyed and annihilated the bell! Great content!
Ah yes, it might be late but every hour is cyber hour.
was reading up on some botnets using Twitter formatted messages yesterday and this video now the timing confirms John get out of my computer!
Thanks for the great video. I would like to be like you as a professional in virus analysis.
Love your energy
37:35 John, you have to "import file" (i) not "Open filesystem" (ctrl+i)
Do you know the difference between the two? What was Ghidra trying to do with .elf with the ctrl+i option which failed? :o
A very entertaining analysis
Video title: "breadcrumbs" (also a new box on hackthebox ) Me: should definitely watch this
Shout out from the Philippines!
These videos are so good!!!!!
Maybe you already know that, but there is a nice Java based MIPS emulator called MARS. It is developed by the Missouri State University under the MIT license. It has some nice features like step by step execution and register editing. So if you at one point want to/need to work with MIPS, this is a great tool to assist you
0:00 John Hammond == John Hammond == John Hammond
I'm always following you, sir
Very interesting!
Love this videos!!!
Sees John posted another malware analysis: Likes the video. Simple as.
5:37 this reaction is a gold xD
Awesome video! Keep it up!
Great video
John hammond: Please send me malware. Me: John hammond is hungry for malwares.
Bro I am completely beginner. Thanks a lot for best strings
Awesome!
John, I just thought of a Tag Line for this type of video for you. “Down the Rabbit Hole with John Hammond” 😁
JOHN I WANT TO YELL AT YOU FOR ... Creating a great video 🤪
I hope you will continue with reversing malware 4ever
When you’re so early that john’s hearted every comment
Always here John!
These iptables commands in the file are firewall rules (iptables is widely used on Linux) probably to open ports on your device.
This one is doing a lot, really a lot of stuff, might even do rat, great video
your videos are very entertaining and you get to learn a lot. What else is needed???
it's nice to know how that things work ;)
I really like this one
Hey John! love your content! Just a quick question. How do you CTF creators hide text in images? What tools do you use?
There are loads of Steganography utilities, my favourite is Outguess!
There's also jphide & seek and steghide, they're good ones too!
I'm bummed out that Ruxcon seems to be over. Would have been cool to have met you in Oz some time John.
you and muda from someordinarygamer are so similar its crazy. love your content it is very informative and revealing.
oo another malware analysis
a good tool is miranda , for MIPS systems
Can't wait XD
Any advice for learning how to start deconstructing and creating malware? I have a decent knowledge of C++ and Python, but mostly Java